add disable password auth prompt with SSH restart warning to hub and spoke scripts

spoke/setup-spoke.sh

@@ -123,6 +123,41 @@ else
     warn "Could not enable SSH service — please start it manually."
 fi
 
+header "Password Authentication"
+read -rp "Disable password auth for $SPOKE_USER and use keys only? [Y/n]: " DISABLE_PASS
+DISABLE_PASS="${{DISABLE_PASS:-y}}"
+if [[ "${{DISABLE_PASS,,}}" == "y" ]]; then
+    if [ ! -s "$SSH_DIR/authorized_keys" ]; then
+        warn "No keys found in $SSH_DIR/authorized_keys — skipping password auth disable to avoid lockout."
+    else
+        if grep -q "^PasswordAuthentication" "$SSHD_CONF"; then
+            sed -i "s/^PasswordAuthentication.*/PasswordAuthentication no/" "$SSHD_CONF"
+        else
+            echo "PasswordAuthentication no" >> "$SSHD_CONF"
+        fi
+        if grep -q "^PubkeyAuthentication" "$SSHD_CONF"; then
+            sed -i "s/^PubkeyAuthentication.*/PubkeyAuthentication yes/" "$SSHD_CONF"
+        else
+            echo "PubkeyAuthentication yes" >> "$SSHD_CONF"
+        fi
+        info "Password authentication disabled for $SPOKE_USER."
+        echo ""
+        warn "Restarting SSH will apply the new settings."
+        warn "If you are connected via SSH, your session may drop."
+        warn "Make sure you can reconnect using your key before continuing."
+        read -rp "Press ENTER to restart SSH or CTRL+C to abort..."
+        if systemctl restart ssh 2>/dev/null; then
+            info "SSH restarted."
+        elif systemctl restart sshd 2>/dev/null; then
+            info "SSH restarted."
+        else
+            warn "Could not restart SSH — please restart it manually."
+        fi
+    fi
+else
+    info "Password authentication left enabled."
+fi
+
 header "Hostname Setup"
 CURRENT_HOSTNAME=$(hostname)
 echo -e "Current hostname: ${YELLOW}$CURRENT_HOSTNAME${NC}"